[VOIPSEC] Cisco 7920 wireless IP Phones
Keith Stevenson
keith.stevenson at louisville.edu
Thu May 26 08:35:05 CDT 2005

Airsnarf and its cousins are remarkable tools and should be looked at by
anyone who is engineering a wireless network. As you have pointed out,
they are real eye-openers.

These MITM attacks rely on the carelessness of the end user in verifying
the authenticity of the TLS certificate that is presented to them. As
long as the end user plays a role in deciding whether or not to accept a
cryptographic certificate, this type of attack will be very successful.

In a managed wireless deployment this sort of attack can easily be
mitigated by having both the client and the AP mutually authenticate
each other. EAP/TLS and EAP/TTLS are both examples of mutually
authenticating protocols that are resistant to MITM attacks. In a
campus/corporate environment this sort of deployment is the only
sensible way to deploy wireless. You're never going to see this in a
public hotspot, however, since it completely defeats the purpose of a
"public" hotspot.

Regards,
--Keith Stevenson--

Christopher A. Martin wrote:
> TLS is SSL all grown up.
>
> SSL and SSH can be hijacked (MiM, Man in the middle) by hacker tools
> crafted specifically for VoIP. A good example of ssl hijacking is a tool
> called airsnarf.
>
> http://airsnarf.shmoo.com/
>
> I believe that this would be a trivial task to convert to SIP since it
> is merely a cousin to html.
>
> The author, Beetle, gave some very good demonstrations of how easy it is
> to break "ANY" wireless encryption/protection scheme and, with this
> tool, hijack any ssl/tls encrypted page to capture authentication/credit
> card or any other info that was supposed to be encrypted. Over two days
> he was able to show a class of about 60 people, many new to wireless, how
> to do the same thing.
>
> When I say that IPSec adds too much overhead I refer to the fact that,
> due to encapsulation, IPSec adds approximately 40% additional overhead
> to an IP packet and often fragmentation due to packets that need to be
> fragmented for encapsulation.